allow tools to syslog

doc/man/man8/slapacl.8

@@ -5,13 +5,14 @@
 slapacl \- Check access to a list of attributes.
 .SH SYNOPSIS
 .B SBINDIR/slapacl
-.B [\-v]
+.B \-b DN
 .B [\-d level]
+.B [\-D authcDN | \-U authcID]
 .B [\-f slapd.conf]
 .B [\-F confdir]
-.B [\-D authcDN | \-U authcID]
+.B [\-o name[=value]
-.B \-b DN
 .B [\-u]
+.B [\-v]
 .B [\-X authzID | \-o authzDN=DN]
 .B [attr[/access][:value]] [...]
 .LP
@@ -35,13 +36,25 @@ pseudo-attribute is tested.
 .LP
 .SH OPTIONS
 .TP
-.B \-v
+.BI \-b " DN"
-enable verbose mode.
+specify the 
+.B DN 
+which access is requested to; the corresponding entry is fetched 
+from the database, and thus it must exist.
+The DN is also used to determine what rules apply; thus, it must be
+in the naming context of a configured database.  See also
+.BR \-u .
 .TP
 .BI \-d " level"
 enable debugging messages as defined by the specified
 .IR level .
 .TP
+.BI \-D " authcDN"
+specify a DN to be used as identity through the test session
+when selecting appropriate
+.B <by> 
+clauses in access lists.
+.TP
 .BI \-f " slapd.conf"
 specify an alternative
 .BR slapd.conf (5)
@@ -60,62 +73,42 @@ default config directory will be made before trying to use the default
 config file. If a valid config directory exists then the
 default config file is ignored.
 .TP
-.BI \-D " authcDN"
-specify a DN to be used as identity through the test session
-when selecting appropriate
-.B <by> 
-clauses in access lists.
-.TP
-.BI \-U " authcID"
-specify an ID to be mapped to a 
-.B DN 
-as by means of 
-.B authz-regexp
-or
-.B authz-rewrite
-rules (see 
-.BR slapd.conf (5)
-for details); mutually exclusive with
-.BR \-D .
-.TP
-.BI \-X " authzID"
-specify an authorization ID to be mapped to a
-.B DN
-as by means of
-.B authz-regexp
-or
-.B authz-rewrite
-rules (see
-.BR slapd.conf (5)
-for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
-.TP
 .BI \-o " option[=value]"
 Specify an
 .BR option
 with a(n optional)
 .BR value .
-Possible options/values are:
+Possible generic options/values are:
 .LP
 .nf
-              sockurl
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.RS
+Possible options/values specific to
+.B slapacl
+are:
+.RE
+.nf
+
+              authzDN
               domain
               peername
-              sockname
-              ssf
-              transport_ssf
-              tls_ssf
               sasl_ssf
-              authzDN
+              sockname
+              sockurl
+              ssf
+              tls_ssf
+              transport_ssf
+
 .fi
-.TP
+.RS
-.BI \-b " DN"
+See the related fields in
-specify the 
+.BR slapd.access (5)
-.B DN 
+for details.
-which access is requested to; the corresponding entry is fetched 
+.RE
-from the database, and thus it must exist.
-The DN is also used to determine what rules apply; thus, it must be
-in the naming context of a configured database.  See also
-.BR \-u .
 .TP
 .BI \-u
 do not fetch the entry from the database.
@@ -131,6 +124,32 @@ option is still used to select what rules apply; thus, it must be
 in the naming context of a configured database.
 See also
 .BR \-b .
+.TP
+.BI \-U " authcID"
+specify an ID to be mapped to a 
+.B DN 
+as by means of 
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see 
+.BR slapd.conf (5)
+for details); mutually exclusive with
+.BR \-D .
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-X " authzID"
+specify an authorization ID to be mapped to a
+.B DN
+as by means of
+.B authz-regexp
+or
+.B authz-rewrite
+rules (see
+.BR slapd.conf (5)
+for details); mutually exclusive with \fB\-o\fP \fIauthzDN=DN\fP.
 .SH EXAMPLES
 The command
 .LP

doc/man/man8/slapadd.8

@@ -6,18 +6,19 @@
 slapadd \- Add entries to a SLAPD database
 .SH SYNOPSIS
 .B SBINDIR/slapadd
-.B [\-v]
+.B [\-b suffix]
 .B [\-c]
 .B [\-g]
-.B [\-u]
-.B [\-q]
-.B [\-w]
 .B [\-d level]
-.B [\-b suffix]
-.B [\-n dbnum]
 .B [\-f slapd.conf]
 .B [\-F confdir]
 .B [\-l ldif-file]
+.B [\-n dbnum]
+.B [\-o name[=value]
+.B [\-q]
+.B [\-u]
+.B [\-v]
+.B [\-w]
 .SH DESCRIPTION
 .LP
 .B Slapadd
@@ -43,40 +44,6 @@ schema checks, and does not maintain operational
 attributes (such as createTimeStamp and modifiersName). 
 .SH OPTIONS
 .TP
-.B \-v
-enable verbose mode.
-.TP
-.B \-c
-enable continue (ignore errors) mode.
-.TP
-.B \-g
-disable subordinate gluing.  Only the specified database will be
-processed, and not its glued subordinates (if any).
-.TP
-.B -s
-disable schema checking.  This option is intended to be used when loading
-databases containing special objects, such as fractional objects on a
-partial replica.  Loading normal objects which do not conform to
-schema may result in unexpected and ill behavior.
-.TP
-.B \-u
-enable dry-run (don't write to backend) mode.
-.TP
-.B \-q
-enable quick (fewer integrity checks) mode.  Does fewer consistency checks
-on the input data, and no consistency checks when writing the database.
-Improves the load time but if any errors or interruptions occur the resulting
-database will be unusable.
-.TP
-.BI \-w
-write syncrepl context information.
-After all entries are added, the contextCSN
-will be updated with the greatest CSN in the database.
-.TP
-.BI \-d " level"
-enable debugging messages as defined by the specified
-.IR level .
-.TP
 .BI \-b " suffix" 
 Use the specified \fIsuffix\fR to determine which database to
 add entries to.  The \-b cannot be used in conjunction
@@ -84,13 +51,12 @@ with the
 .B \-n
 option.
 .TP
-.BI \-n " dbnum"
+.B \-c
-Add entries to the \fIdbnum\fR\-th database listed in the
+enable continue (ignore errors) mode.
-configuration file.  The
+.TP
-.B \-n
+.BI \-d " level"
-cannot be used in conjunction with the
+enable debugging messages as defined by the specified
-.B \-b
+.IR level .
-option.
 .TP
 .BI \-f " slapd.conf"
 specify an alternative
@@ -111,8 +77,57 @@ config file. If a valid config directory exists then the
 default config file is ignored. If dryrun mode is also specified,
 no conversion will occur.
 .TP
+.B \-g
+disable subordinate gluing.  Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
 .BI \-l " ldif-file"
 Read LDIF from the specified file instead of standard input.
+.TP
+.BI \-n " dbnum"
+Add entries to the \fIdbnum\fR\-th database listed in the
+configuration file.  The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
+.B \-q
+enable quick (fewer integrity checks) mode.  Does fewer consistency checks
+on the input data, and no consistency checks when writing the database.
+Improves the load time but if any errors or interruptions occur the resulting
+database will be unusable.
+.TP
+.B -s
+disable schema checking.  This option is intended to be used when loading
+databases containing special objects, such as fractional objects on a
+partial replica.  Loading normal objects which do not conform to
+schema may result in unexpected and ill behavior.
+.TP
+.B \-u
+enable dry-run (don't write to backend) mode.
+.TP
+.B \-v
+enable verbose mode.
+.TP
+.BI \-w
+write syncrepl context information.
+After all entries are added, the contextCSN
+will be updated with the greatest CSN in the database.
 .SH LIMITATIONS
 Your
 .BR slapd (8)

doc/man/man8/slapauth.8

@@ -5,13 +5,14 @@
 slapauth \- Check a list of string-represented IDs for authc/authz.
 .SH SYNOPSIS
 .B SBINDIR/slapauth
-.B [\-v]
 .B [\-d level]
 .B [\-f slapd.conf]
 .B [\-F confdir]
 .B [\-M mech]
+.B [\-o name[=value]
 .B [\-R realm]
 .B [\-U authcID]
+.B [\-v]
 .B [\-X authzID]
 .B ID [...]
 .LP
@@ -33,9 +34,6 @@ list given on the command-line.
 .LP
 .SH OPTIONS
 .TP
-.B \-v
-enable verbose mode.
-.TP
 .BI \-d " level"
 enable debugging messages as defined by the specified
 .IR level .
@@ -61,6 +59,20 @@ default config file is ignored.
 .BI \-M " mech"
 specify a mechanism.
 .TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
 .BI \-R " realm"
 specify a realm.
 .TP
@@ -86,6 +98,9 @@ If both
 and
 .I authzID
 are given via command line switch, the ID list cannot be present.
+.TP
+.B \-v
+enable verbose mode.
 .SH EXAMPLES
 The command
 .LP

doc/man/man8/slapcat.8

@@ -6,17 +6,18 @@
 slapcat \- SLAPD database to LDIF utility
 .SH SYNOPSIS
 .B SBINDIR/slapcat
-.B [\-v]
-.B [\-c]
-.B [\-g]
-.B [\-d level]
-.B [\-b suffix]
-.B [\-n dbnum]
 .B [\-a filter]
-.B [\-s subtree-dn]
+.B [\-b suffix]
+.B [\-c]
+.B [\-d level]
 .B [\-f slapd.conf]
 .B [\-F confdir]
+.B [\-g]
 .B [\-l ldif-file]
+.B [\-n dbnum]
+.B [\-o name[=value]
+.B [\-s subtree-dn]
+.B [\-v]
 .B 
 .LP
 .SH DESCRIPTION
@@ -48,35 +49,6 @@ into superior first order and removing no-user-modification
 operational attributes.
 .SH OPTIONS
 .TP
-.B \-v
-Enable verbose mode.
-.TP
-.B \-c
-Enable continue (ignore errors) mode.
-.TP
-.B \-g
-disable subordinate gluing.  Only the specified database will be
-processed, and not its glued subordinates (if any).
-.TP
-.BI \-d " level"
-Enable debugging messages as defined by the specified
-.IR level .
-.TP
-.BI \-b " suffix" 
-Use the specified \fIsuffix\fR to determine which database to
-generate output for.  The \-b cannot be used in conjunction
-with the
-.B \-n
-option.
-.TP
-.BI \-n " dbnum"
-Generate output for the \fIdbnum\fR\-th database listed in the
-configuration file.  The
-.B \-n
-cannot be used in conjunction with the
-.B \-b
-option.
-.TP
 .BI \-a " filter"
 Only dump entries matching the asserted filter.
 For example
@@ -87,13 +59,19 @@ slapcat -a \\
 will dump all but the "ou=People,dc=example,dc=com" subtree
 of the "dc=example,dc=com" database.
 .TP
-.BI \-s " subtree-dn"
+.BI \-b " suffix" 
-Only dump entries in the subtree specified by this DN.
+Use the specified \fIsuffix\fR to determine which database to
-Implies `-b subtree-dn' if no
+generate output for.  The \-b cannot be used in conjunction
-.B \-b
+with the
-or
 .B \-n
-option is given.
+option.
+.TP
+.B \-c
+Enable continue (ignore errors) mode.
+.TP
+.BI \-d " level"
+Enable debugging messages as defined by the specified
+.IR level .
 .TP
 .BI \-f " slapd.conf"
 Specify an alternative
@@ -113,8 +91,45 @@ default config directory will be made before trying to use the default
 config file. If a valid config directory exists then the
 default config file is ignored.
 .TP
+.B \-g
+disable subordinate gluing.  Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
 .BI \-l " ldif-file"
 Write LDIF to specified file instead of standard output.
+.TP
+.BI \-n " dbnum"
+Generate output for the \fIdbnum\fR\-th database listed in the
+configuration file.  The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
+.BI \-s " subtree-dn"
+Only dump entries in the subtree specified by this DN.
+Implies `-b subtree-dn' if no
+.B \-b
+or
+.B \-n
+option is given.
+.TP
+.B \-v
+Enable verbose mode.
 .SH LIMITATIONS
 In general, your
 .BR slapd (8)

doc/man/man8/slapdn.8

@@ -5,11 +5,12 @@
 slapdn \- Check a list of string-represented DNs based on schema syntax.
 .SH SYNOPSIS
 .B SBINDIR/slapdn
-.B [\-v]
 .B [\-d level]
 .B [\-f slapd.conf]
 .B [\-F confdir]
 .B [\-N | \-P]
+.B [\-o name[=value]
+.B [\-v]
 .B DN [...]
 .LP
 .SH DESCRIPTION
@@ -29,9 +30,6 @@ list given on the command-line.
 .LP
 .SH OPTIONS
 .TP
-.B \-v
-enable verbose mode.
-.TP
 .BI \-d " level"
 enable debugging messages as defined by the specified
 .IR level .
@@ -59,10 +57,27 @@ only output a normalized form of the DN, suitable to be used
 in a normalization tool; incompatible with
 .BR \-P .
 .TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
 .BI \-P
 only output a prettified form of the DN, suitable to be used
 in a check and beautification tool; incompatible with
 .BR \-N .
+.TP
+.B \-v
+enable verbose mode.
 .SH EXAMPLES
 To check a
 .B DN

doc/man/man8/slapindex.8

@@ -6,15 +6,16 @@
 slapindex \- SLAPD index to LDIF utility
 .SH SYNOPSIS
 .B SBINDIR/slapindex
-.B [\-v]
-.B [\-c]
-.B [\-g]
-.B [\-q]
-.B [\-d level]
 .B [\-b suffix]
-.B [\-n dbnum]
+.B [\-c]
+.B [\-d level]
 .B [\-f slapd.conf]
 .B [\-F confdir]
+.B [\-g]
+.B [\-n dbnum]
+.B [\-o name[=value]
+.B [\-q]
+.B [\-v]
 .B 
 .LP
 .SH DESCRIPTION
@@ -31,27 +32,6 @@ Databases configured as
 of this one are also re-indexed, unless \fB-g\fP is specified.
 .SH OPTIONS
 .TP
-.B \-v
-enable verbose mode.
-.TP
-.B \-c
-enable continue (ignore errors) mode.
-.TP
-.B \-g
-disable subordinate gluing.  Only the specified database will be
-processed, and not its glued subordinates (if any).
-.TP
-.B \-q
-enable quick (fewer integrity checks) mode. Performs no consistency checks
-when writing the database. Improves indexing time,
-.B however
-the database will most likely be unusable if any errors or
-interruptions occur.
-.TP
-.BI \-d " level"
-enable debugging messages as defined by the specified
-.IR level .
-.TP
 .BI \-b " suffix" 
 Use the specified \fIsuffix\fR to determine which database to
 generate output for.  The \-b cannot be used in conjunction
@@ -59,13 +39,12 @@ with the
 .B \-n
 option.
 .TP
-.BI \-n " dbnum"
+.B \-c
-Generate output for the \fIdbnum\fR\-th database listed in the
+enable continue (ignore errors) mode.
-configuration file.  The
+.TP
-.B \-n
+.BI \-d " level"
-cannot be used in conjunction with the
+enable debugging messages as defined by the specified
-.B \-b
+.IR level .
-option.
 .TP
 .BI \-f " slapd.conf"
 specify an alternative
@@ -84,6 +63,42 @@ If neither option is specified, an attempt to read the
 default config directory will be made before trying to use the default
 config file. If a valid config directory exists then the
 default config file is ignored.
+.TP
+.B \-g
+disable subordinate gluing.  Only the specified database will be
+processed, and not its glued subordinates (if any).
+.TP
+.BI \-n " dbnum"
+Generate output for the \fIdbnum\fR\-th database listed in the
+configuration file.  The
+.B \-n
+cannot be used in conjunction with the
+.B \-b
+option.
+.TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
+.B \-q
+enable quick (fewer integrity checks) mode. Performs no consistency checks
+when writing the database. Improves indexing time,
+.B however
+the database will most likely be unusable if any errors or
+interruptions occur.
+.TP
+.B \-v
+enable verbose mode.
 .SH LIMITATIONS
 Your
 .BR slapd (8)

doc/man/man8/slaptest.8

@@ -8,6 +8,7 @@ slaptest \- Check the suitability of the slapd.conf file.
 .B [\-d level]
 .B [\-f slapd.conf]
 .B [\-F confdir]
+.B [\-o name[=value]
 .B [\-u]
 .B [\-v]
 .LP
@@ -47,6 +48,20 @@ config file. If a valid config directory exists then the
 default config file is ignored. If dryrun mode is also specified,
 no conversion will occur.
 .TP
+.BI \-o " option[=value]"
+Specify an
+.BR option
+with a(n optional)
+.BR value .
+Possible generic options/values are:
+.LP
+.nf
+              syslog=<subsystems>  (see `\-s' in slapd(8))
+              syslog-level=<level> (see `\-S' in slapd(8))
+              syslog-user=<user>   (see `\-l' in slapd(8))
+
+.fi
+.TP
 .B \-u
 enable dryrun mode (i.e. don't fail if databases cannot be opened,
 but config is fine).

servers/slapd/main.c

@@ -106,10 +106,6 @@ static int version = 0;
 void *slap_tls_ctx;
 LDAP *slap_tls_ld;
 
-#ifdef LOG_LOCAL4
-#define DEFAULT_SYSLOG_USER	LOG_LOCAL4
-#endif /* LOG_LOCAL4 */
-
 static int
 slapd_opt_slp( const char *val, void *arg )
 {
@@ -162,7 +158,7 @@ struct option_helper {
 
 #if defined(LDAP_DEBUG) && defined(LDAP_SYSLOG)
 #ifdef LOG_LOCAL4
-static int
+int
 parse_syslog_user( const char *arg, int *syslogUser )
 {
 	static slap_verbmasks syslogUsers[] = {
@@ -182,12 +178,12 @@ parse_syslog_user( const char *arg, int *syslogUser )
 #endif /* LOG_DAEMON */
 		{ BER_BVNULL, 0 }
 	};
-	int i = verb_to_mask( optarg, syslogUsers );
+	int i = verb_to_mask( arg, syslogUsers );
 
 	if ( BER_BVISNULL( &syslogUsers[ i ].word ) ) {
 		Debug( LDAP_DEBUG_ANY,
 			"unrecognized syslog user \"%s\".\n",
-			optarg, 0, 0 );
+			arg, 0, 0 );
 		return 1;
 	}
 
@@ -197,7 +193,7 @@ parse_syslog_user( const char *arg, int *syslogUser )
 }
 #endif /* LOG_LOCAL4 */
 
-static int
+int
 parse_syslog_level( const char *arg, int *levelp )
 {
 	static slap_verbmasks	str2syslog_level[] = {
@@ -352,7 +348,7 @@ int main( int argc, char **argv )
 	char *sandbox = NULL;
 #endif
 #ifdef LOG_LOCAL4
-	int syslogUser = DEFAULT_SYSLOG_USER;
+	int syslogUser = SLAP_DEFAULT_SYSLOG_USER;
 #endif
 	
 	int g_argc = argc;

servers/slapd/proto-slap.h

@@ -1021,6 +1021,10 @@ LDAP_SLAPD_F (int) lock_fclose LDAP_P(( FILE *fp, FILE *lfp ));
 LDAP_SLAPD_F (int)
 parse_debug_level LDAP_P(( const char *arg, int *levelp, char ***unknowns ));
 LDAP_SLAPD_F (int)
+parse_syslog_level LDAP_P(( const char *arg, int *levelp ));
+LDAP_SLAPD_F (int)
+parse_syslog_user LDAP_P(( const char *arg, int *syslogUser ));
+LDAP_SLAPD_F (int)
 parse_debug_unknowns LDAP_P(( char **unknowns, int *levelp ));
 
 /*

servers/slapd/slap.h

@@ -2681,21 +2681,27 @@ typedef struct slap_conn {
 	SEND_LDAP_INTERMEDIATE *c_send_ldap_intermediate;
 } Connection;
 
-#if defined(LDAP_SYSLOG) && defined(LDAP_DEBUG)
+#ifdef LDAP_DEBUG
+#ifdef LDAP_SYSLOG
+#ifdef LOG_LOCAL4
+#define SLAP_DEFAULT_SYSLOG_USER	LOG_LOCAL4
+#endif /* LOG_LOCAL4 */
+
 #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )	\
 	Log5( (level), ldap_syslog_level, (fmt), (connid), (opid), (arg1), (arg2), (arg3) )
 #define StatslogTest( level ) ((ldap_debug | ldap_syslog) & (level))
-#elif defined(LDAP_DEBUG)
+#else /* !LDAP_SYSLOG */
 #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 )	\
 	do { \
 		if ( ldap_debug & (level) ) \
 			fprintf( stderr, (fmt), (connid), (opid), (arg1), (arg2), (arg3) );\
 	} while (0)
 #define StatslogTest( level ) (ldap_debug & (level))
-#else
+#endif /* !LDAP_SYSLOG */
+#else /* !LDAP_DEBUG */
 #define Statslog( level, fmt, connid, opid, arg1, arg2, arg3 ) ((void) 0)
 #define StatslogTest( level ) (0)
-#endif
+#endif /* !LDAP_DEBUG */
 
 /*
  * listener; need to access it from monitor backend

servers/slapd/slapcommon.c

@@ -47,18 +47,26 @@ static FILE *leakfile;
 
 static LDIFFP dummy;
 
+#ifdef LDAP_SYSLOG
+int start_syslog;
+static char **syslog_unknowns;
+#ifdef LOG_LOCAL4
+static int syslogUser = SLAP_DEFAULT_SYSLOG_USER;
+#endif /* LOG_LOCAL4 */
+#endif /* LDAP_SYSLOG */
+
 static void
 usage( int tool, const char *progname )
 {
 	char *options = NULL;
 	fprintf( stderr,
-		"usage: %s [-v] [-d debuglevel] [-f configfile] [-F configdir]",
+		"usage: %s [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]]",
 		progname );
 
 	switch( tool ) {
 	case SLAPACL:
 		options = "\n\t[-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]"
-			"\n\t-b DN -o <var>[=<val>] [-u] [attr[/access][:value]] [...]\n";
+			"\n\t-b DN [-u] [attr[/access][:value]] [...]\n";
 		break;
 
 	case SLAPADD:
@@ -95,19 +103,17 @@ usage( int tool, const char *progname )
 }
 
 static int
-parse_slapacl( void )
+parse_slapopt( void )
 {
-	size_t	len;
+	size_t	len = 0;
 	char	*p;
 
 	p = strchr( optarg, '=' );
-	if ( p == NULL ) {
+	if ( p != NULL ) {
-		return -1;
+		len = p - optarg;
+		p++;
 	}
 
-	len = p - optarg;
-	p++;
-
 	if ( strncasecmp( optarg, "sockurl", len ) == 0 ) {
 		if ( !BER_BVISNULL( &listener_url ) ) {
 			ber_memfree( listener_url.bv_val );
@@ -159,6 +165,28 @@ parse_slapacl( void )
 	} else if ( strncasecmp( optarg, "authzDN", len ) == 0 ) {
 		ber_str2bv( p, 0, 1, &authzDN );
 
+#ifdef LDAP_SYSLOG
+	} else if ( strncasecmp( optarg, "syslog", len ) == 0 ) {
+		if ( parse_debug_level( p, &ldap_syslog, &syslog_unknowns ) ) {
+			return -1;
+		}
+		start_syslog = 1;
+
+	} else if ( strncasecmp( optarg, "syslog-level", len ) == 0 ) {
+		if ( parse_syslog_level( p, &ldap_syslog_level ) ) {
+			return -1;
+		}
+		start_syslog = 1;
+
+#ifdef LOG_LOCAL4
+	} else if ( strncasecmp( optarg, "syslog-user", len ) == 0 ) {
+		if ( parse_syslog_user( p, &syslogUser ) ) {
+			return -1;
+		}
+		start_syslog = 1;
+#endif /* LOG_LOCAL4 */
+#endif /* LDAP_SYSLOG */
+
 	} else {
 		return -1;
 	}
@@ -200,6 +228,7 @@ slap_tool_init(
 	 * messages show up; use -d 0 to reset */
 	slap_debug = LDAP_DEBUG_NONE;
 #endif
+	ldap_syslog = 0;
 
 #ifdef CSRIMALLOC
 	leakfilename = malloc( strlen( progname ) + STRLENOF( ".leak" ) + 1 );
@@ -212,31 +241,31 @@ slap_tool_init(
 
 	switch( tool ) {
 	case SLAPADD:
-		options = "b:cd:f:F:gl:n:qstuvw";
+		options = "b:cd:f:F:gl:n:o:qstuvw";
 		break;
 
 	case SLAPCAT:
-		options = "a:b:cd:f:F:gl:n:s:v";
+		options = "a:b:cd:f:F:gl:n:o:s:v";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;
 
 	case SLAPDN:
-		options = "d:f:F:NPv";
+		options = "d:f:F:No:Pv";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;
 
 	case SLAPTEST:
-		options = "d:f:F:uv";
+		options = "d:f:F:o:uv";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;
 
 	case SLAPAUTH:
-		options = "d:f:F:M:R:U:vX:";
+		options = "d:f:F:M:o:R:U:vX:";
 		mode |= SLAP_TOOL_READMAIN | SLAP_TOOL_READONLY;
 		break;
 
 	case SLAPINDEX:
-		options = "b:cd:f:F:gn:qv";
+		options = "b:cd:f:F:gn:o:qv";
 		mode |= SLAP_TOOL_READMAIN;
 		break;
 
@@ -324,7 +353,7 @@ slap_tool_init(
 			break;
 
 		case 'o':
-			if ( parse_slapacl() ) {
+			if ( parse_slapopt() ) {
 				usage( tool, progname );
 			}
 			break;
@@ -382,6 +411,27 @@ slap_tool_init(
 		}
 	}
 
+#ifdef LDAP_SYSLOG
+	if ( start_syslog ) {
+		char *logName;
+#ifdef HAVE_EBCDIC
+		logName = ch_strdup( progname );
+		__atoe( logName );
+#else
+		logName = (char *)progname;
+#endif
+
+#ifdef LOG_LOCAL4
+		openlog( logName, OPENLOG_OPTIONS, syslogUser );
+#elif LOG_DEBUG
+		openlog( logName, OPENLOG_OPTIONS );
+#endif
+#ifdef HAVE_EBCDIC
+		free( logName );
+#endif
+	}
+#endif /* LDAP_SYSLOG */
+
 	switch ( tool ) {
 	case SLAPADD:
 	case SLAPCAT:
@@ -424,8 +474,6 @@ slap_tool_init(
 		break;
 	}
 
-	ldap_syslog = 0;
-
 	if ( ldiffile == NULL ) {
 		dummy.fp = tool == SLAPCAT ? stdout : stdin;
 		ldiffp = &dummy;
@@ -463,6 +511,14 @@ slap_tool_init(
 			exit( EXIT_FAILURE );
 	}
 
+	if ( syslog_unknowns ) {
+		rc = parse_debug_unknowns( syslog_unknowns, &ldap_syslog );
+		ldap_charray_free( syslog_unknowns );
+		syslog_unknowns = NULL;
+		if ( rc )
+			exit( EXIT_FAILURE );
+	}
+
 	at_oc_cache = 1;
 
 	switch ( tool ) {